Home/Sigma rules
Sigma

Sigma detection rules

7 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

7 shown of 7
high
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id d557dc06-62e8-4468-a8e8-7984124908ce
view Sigma YAML 
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id 851fd622-b675-4d26-b803-14bc7baa517a
view Sigma YAML 
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
high
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
status test author TropChaud id 24c77512-782b-448a-8950-eddb0785fc71
view Sigma YAML 
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
medium
Access to Browser Login Data
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
status test author frack113 id fc028194-969d-4122-8abe-0470d5b8f12f
view Sigma YAML 
title: Access to Browser Login Data
id: fc028194-969d-4122-8abe-0470d5b8f12f
related:
    - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
      type: obsolete
    - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
      type: similar
status: test
description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-01-30
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - Copy-Item
            - '-Destination'
    selection_path:
        ScriptBlockText|contains:
            - '\Opera Software\Opera Stable\Login Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Microsoft\Edge\User Data\Default'
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Default\Login Data For Account'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
PUA - WebBrowserPassView Execution
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
status test author frack113 id d0dae994-26c6-4d2d-83b5-b3c8b79ae513
view Sigma YAML 
title: PUA - WebBrowserPassView Execution
id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
status: test
description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-08-20
modified: 2023-02-14
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Web Browser Password Viewer'
        - Image|endswith: '\WebBrowserPassView.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
status test author Nasreddine Bencherchali (Nextron Systems) id 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
view Sigma YAML 
title: Potential Browser Data Stealing
id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
related:
    - id: fc028194-969d-4122-8abe-0470d5b8f12f
      type: derived
status: test
description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
    - https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2025-03-19
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - CommandLine|contains:
              - 'copy-item'
              - 'copy '
              - 'cpi '
              - ' cp '
              - 'move '
              - 'move-item'
              - ' mi '
              - ' mv '
        - Image|endswith:
              - '\esentutl.exe' # akira ransomware
              - '\xcopy.exe'
              - '\robocopy.exe'
        - OriginalFileName:
              - 'esentutl.exe'
              - 'XCOPY.EXE'
              - 'robocopy.exe'
    selection_path:
        CommandLine|contains:
            - '\Amigo\User Data'
            - '\BraveSoftware\Brave-Browser\User Data'
            - '\CentBrowser\User Data'
            - '\Chromium\User Data'
            - '\CocCoc\Browser\User Data'
            - '\Comodo\Dragon\User Data'
            - '\Elements Browser\User Data'
            - '\Epic Privacy Browser\User Data'
            - '\Google\Chrome Beta\User Data'
            - '\Google\Chrome SxS\User Data'
            - '\Google\Chrome\User Data\'
            - '\Kometa\User Data'
            - '\Maxthon5\Users'
            - '\Microsoft\Edge\User Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Nichrome\User Data'
            - '\Opera Software\Opera GX Stable\'
            - '\Opera Software\Opera Neon\User Data'
            - '\Opera Software\Opera Stable\'
            - '\Orbitum\User Data'
            - '\QIP Surf\User Data'
            - '\Sputnik\User Data'
            - '\Torch\User Data'
            - '\uCozMedia\Uran\User Data'
            - '\Vivaldi\User Data'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
low
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.
status experimental author frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore id a1dfd976-4852-41d4-9507-dc6590a3ccd0
view Sigma YAML 
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
    This behavior is often commonly observed in credential stealing malware.
references:
    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1555.003
    - attack.discovery
    - attack.t1217
logsource:
    category: file_access
    product: windows
detection:
    selection_browser_paths:
        FileName|contains:
            - '\Sputnik\Sputnik'
            - '\MapleStudio\ChromePlus'
            - '\QIP Surf'
            - '\BlackHawk'
            - '\7Star\7Star'
            - '\CatalinaGroup\Citrio'
            - '\Google\Chrome'
            - '\Coowon\Coowon'
            - '\CocCoc\Browser'
            - '\uCozMedia\Uran'
            - '\Tencent\QQBrowser'
            - '\Orbitum'
            - '\Slimjet'
            - '\Iridium'
            - '\Vivaldi'
            - '\Chromium'
            - '\GhostBrowser'
            - '\CentBrowser'
            - '\Xvast'
            - '\Chedot'
            - '\SuperBird'
            - '\360Browser\Browser'
            - '\360Chrome\Chrome'
            - '\Comodo\Dragon'
            - '\BraveSoftware\Brave-Browser'
            - '\Torch'
            - '\UCBrowser\'
            - '\Blisk'
            - '\Epic Privacy Browser'
            - '\Nichrome'
            - '\Amigo'
            - '\Kometa'
            - '\Xpom'
            - '\Microsoft\Edge'
            - '\Liebao7Default\EncryptedStorage'
            - '\AVAST Software\Browser'
            - '\Kinza'
            - '\Mozilla\SeaMonkey\'
            - '\Comodo\IceDragon\'
            - '\8pecxstudios\Cyberfox\'
            - '\FlashPeak\SlimBrowser\'
            - '\Moonchild Productions\Pale Moon\'
    selection_browser_subpaths:
        FileName|contains:
            - '\Profiles\'
            - '\User Data'
    selection_cred_files:
        - FileName|contains:
              - '\Login Data'
              - '\Cookies'
              - '\EncryptedStorage'
              - '\WebCache\'
        - FileName|endswith:
              - 'cert9.db'
              - 'cookies.sqlite'
              - 'formhistory.sqlite'
              - 'key3.db'
              - 'key4.db'
              - 'Login Data.sqlite'
              - 'logins.json'
              - 'places.sqlite'
    filter_main_img:
        Image|endswith:
            - '\Sputnik.exe'
            - '\ChromePlus.exe'
            - '\QIP Surf.exe'
            - '\BlackHawk.exe'
            - '\7Star.exe'
            - '\Sleipnir5.exe'
            - '\Citrio.exe'
            - '\Chrome SxS.exe'
            - '\Chrome.exe'
            - '\Coowon.exe'
            - '\CocCocBrowser.exe'
            - '\Uran.exe'
            - '\QQBrowser.exe'
            - '\Orbitum.exe'
            - '\Slimjet.exe'
            - '\Iridium.exe'
            - '\Vivaldi.exe'
            - '\Chromium.exe'
            - '\GhostBrowser.exe'
            - '\CentBrowser.exe'
            - '\Xvast.exe'
            - '\Chedot.exe'
            - '\SuperBird.exe'
            - '\360Browser.exe'
            - '\360Chrome.exe'
            - '\dragon.exe'
            - '\brave.exe'
            - '\torch.exe'
            - '\UCBrowser.exe'
            - '\BliskBrowser.exe'
            - '\Epic Privacy Browser.exe'
            - '\nichrome.exe'
            - '\AmigoBrowser.exe'
            - '\KometaBrowser.exe'
            - '\XpomBrowser.exe'
            - '\msedge.exe'
            - '\LiebaoBrowser.exe'
            - '\AvastBrowser.exe'
            - '\Kinza.exe'
            - '\seamonkey.exe'
            - '\icedragon.exe'
            - '\cyberfox.exe'
            - '\SlimBrowser.exe'
            - '\palemoon.exe'
    filter_main_path:
        Image|contains:
            - '\Sputnik\'
            - '\MapleStudio\'
            - '\QIP Surf\'
            - '\BlackHawk\'
            - '\7Star\'
            - '\Fenrir Inc\'
            - '\CatalinaGroup\'
            - '\Google\'
            - '\Coowon\'
            - '\CocCoc\'
            - '\uCozMedia\'
            - '\Tencent\'
            - '\Orbitum\'
            - '\Slimjet\'
            - '\Iridium\'
            - '\Vivaldi\'
            - '\Chromium\'
            - '\GhostBrowser\'
            - '\CentBrowser\'
            - '\Xvast\'
            - '\Chedot\'
            - '\SuperBird\'
            - '\360Browser\'
            - '\360Chrome\'
            - '\Comodo\'
            - '\BraveSoftware\'
            - '\Torch\'
            - '\UCBrowser\'
            - '\Blisk\'
            - '\Epic Privacy Browser\'
            - '\Nichrome\'
            - '\Amigo\'
            - '\Kometa\'
            - '\Xpom\'
            - '\Microsoft\'
            - '\Liebao7\'
            - '\AVAST Software\'
            - '\Kinza\'
            - '\Mozilla\'
            - '\8pecxstudios\'
            - '\FlashPeak\'
            - '\Moonchild Productions\'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: '\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    filter_optional_other:
        Image|endswith: '\everything.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Legitimate software accessing browser data for synchronization or backup purposes.
    - Legitimate software installed on partitions other than "C:\"
level: low
Showing 1-7 of 7
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin